Controls

All plans

Permissions, roles, and access controls finance teams can actually trust.

Role-based permissions. Per-entity access. Dual-Control Mode on every plan. Workplace Associate restricted portal. SAML SSO with domain enforcement on Enterprise. 2FA. Audit trail on every change.

Roles

01

Roles that map to how finance teams really work.

Admin, Finance, Member, Viewer, and the Workplace Associate role for restricted portal users. Members and Finance users carry a permission set admins can customize per user. Per-user entity grants layer on top; users see only the entities they're granted, in every report and search result.

  • Admin, Finance, Member, Viewer roles.
  • Workplace Associate role: restricted portal for PO submitters and vendor-mapped bill approvers.
  • Per-user entity grants.
  • Per-user permission customization.

Dual-Control Mode

02

Drafter and approver, separated.

Available on every plan. The user preparing a journal entry, bill, invoice, or settings change cannot be the same user who posts or applies it. Configurable approval chains and routing rules. Separation of duties enforced, not optional.

  • Drafter and approver enforced as different users.
  • Configurable approval chains.
  • Separation of duties at the action level.
  • Per-record audit trail with provenance.

SSO and 2FA

03

SAML SSO and two-factor authentication.

SAML SSO with domain verification and just-in-time user provisioning on Growth (1 connection) and Enterprise (unlimited connections + enforcement). Two-factor authentication is available on every plan via email OTP or authenticator app (TOTP).

  • SAML SSO: 1 connection on Growth, unlimited + enforcement on Enterprise.
  • Two-factor authentication on every plan.
  • Domain verification and just-in-time provisioning.
  • Automatic 15-minute inactivity timeout on every session.

Audit trail

04

Every action recorded.

Immutable audit log of every user action against every record, capturing who changed what, what the prior value was, when the change was applied, and which IP and session.

Why Quoining

05

Real roles on every plan, not admin-or-nothing.

Entry-level tools give everyone the keys; enterprise suites sell role-based control back to you as an add-on. Quoining ships a full permission matrix, approval workflows, and an immutable audit log on every plan.

  • Granular permissions across 41 actions, from posting to settings.
  • Approval chains and dual-control configurable per workflow.
  • Every change carries who, what, and when, immutably.

Want a closer look?

See permissions & roles in a guided demo.

Walk through the workflow with our team. We'll show how it fits your books and answer questions on plan fit, migration, and rollout.

Questions

About permissions & roles.

Is Dual-Control Mode an Enterprise feature?

No. Dual-Control Mode is available on every plan, including Essentials.

What is the Workplace Associate role for?

A restricted portal role for PO submitters and vendor-mapped bill approvers; they see only their own work and the bills assigned to them, never the full accounting app.

When does SAML SSO become available?

Growth includes 1 SSO connection. Enterprise unlocks unlimited SSO connections and SSO enforcement (users must sign in via SSO).

Ready to put permissions & roles to work?

Start a free account in minutes, see the plan that fits, or book a guided demo with our team.